General Data Protection Regulation (GDPR) update – March 2017

There is also an updated timetable on what we can expect in terms of future guidance.

Consent guidance (consultation draft)

The GDPR makes it more difficult to rely on consent than is currently the case under the Data Protection Act (DPA). This consent guidance is a consultation draft, and the ICO’s first piece of detailed topic-specific GDPR guidance.

There is a high level “at a glance” summary at the start and a handy checklist at the end for collecting, recording and managing consent. Each section has “in brief” bullet points followed by “in more detail”.

There are examples of implied and explicit consent, a warning that employers and the public sector may find it difficult to rely on consent and a reminder of the need to “unbundle” consent, keeping the request for consent separate from the terms and conditions.

The ICO is seeking feedback on this guidance until 31 March 2017, and aims to issue the final guidance in May.

The draft consent guidance is here and the accompanying ICO blog is here.

We expect to hear more on consent later this year. The ICO is planning to issue a call for evidence to get a better sense of what technical solutions are available or being developed for obtaining and managing consent.

The Article 29 working party – which includes representatives from the ICO and other European data protection bodies – will be releasing its own guidance on consent too.

Big data paper

The big data, artificial intelligence, machine learning and data protection paper expands on the ICO’s first publication in 2014. It is not a GDPR guidance document as such, but where it refers to the DPA it will then refer to the revised position under the GDPR.

The ICO’s position is that big data analytics can bring benefits to business, society and individuals, but that the benefits of data protection can (and must) be delivered alongside.

There is a short conclusion in chapter 5, where the ICO states it will both support organisations and use its regulatory powers where necessary.

The paper contains examples of big data in practice. There is also a list of key recommendations in chapter 6, which are as follows:

• Anonymise where possible
• Be transparent (provide privacy notices)
• Use privacy impact assessments (“PIAs” – there is guidance on carrying out a PIA in a big data context in annex 1, where the ICO has also mapped the GDPR Data Protection Impact Assessment (DPIA) requirements onto its own PIA framework)
• Adopt a privacy by design approach
• Develop ethical principles
• Use auditable machine learning algorithms. This sixth recommendation is one way to ensure (and demonstrate) compliance of “black box” data processing activities such as machine learning: “baking in” auditability to algorithms in their development stage to enable third parties to check, monitor, review and critique their behaviour. Ultimately, this is to ensure that algorithms are doing what they were intended to do, and are not producing discriminatory, erroneous or unjustified results.

The paper has helpful “in brief” bullet point summaries. The paper may be found here and accompanying blog is available here.

The blog sets out the further work that the ICO is doing in this area, including:

• Developing a new information rights strategy;
• Publication of the ICO’s thinking on profiling to get feedback and contribute to the Article 29 working party guidance;
• Setting up a grants and contributions fund for research on information rights issues;
• Publication of a report on obtaining and combining datasets in mergers and acquisitions;
• Tendering for research on social scoring.(using social networks data to assess people);
• A privacy bridges project to bridge the gap between the EU and US on privacy protection; and
• Embedding information rights into higher education, to help address the privacy and security skills shortage, particularly in IT.

Where are we now?

The ICO’s data protection reform website is here. The ICO guidance we have so far is:

The Overview of the GDPR guidance: please ignore any PDF or printed copy you have from July 2016 as the definitive version is now online, and will continue to evolve online – this is the place to start.

Preparing for the GDPR: 12 steps to take now – the first piece of guidance.

The Privacy notices code of practice from October 2016.

What next?

The Article 29 working party has indicated that final versions of its draft guidance and FAQs on (a) data protection officers (b) lead authority (the “one stop shop”) and (c) data portability will be published by April 2017. You can find the draft guidance and FAQs here.

The Article 29 working party is planning the guidance on:

• Consent
• Transparency
• Profiling
• High risk processing
• Certification
• Administrative fines
• Breach notification
• Data transfers

The ICO is planning guidance on:

• Contracts and liability

In addition the ICO is:

• assessing the GDPR provisions on the cross-cutting areas of profiling and risk
• considering the GDPR provisions specific to children’s personal data, and
• consulting with relevant stakeholders about international transfers; I attended an ICO stakeholder workshop on transfers in January, so if you would like feedback from that, please let me know.

The ICO is aiming to publish guidance or discussion papers on some of these additional topics in the first half of 2017.

How can Ward Hadaway help?

For further information on the issues raised in this update or on any aspect of data protection, please get in touch.